Data Subject Access Requests - FAQs 


The General Data Protection Regulation (GDPR), under Article 15, gives individuals or ‘data 
subjects’ the right to request a copy of any of their personal data which are being 
‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. those who decide how and why data are 
processed, e.g. SMEs), as well as other relevant information (as detailed below). These 
requests are often referred to as ‘data subject access requests’, or ‘access requests’. 


These requests must be responded to free of charge and in an accessible form, and SMEs 
should seek to facilitate access requests being both made and responded to easily, 
including electronically where appropriate and where the individual wishes. 


The following guidance should answer some of the most frequently asked questions by SMEs 
who are struggling to deal with the access requests they are receiving. 


When is an individual entitled to make an access request? 


There are no special conditions that need to be satisfied in order for an 
individual to be entitled to make an access request. An individual can make an 
access request to any SME who they think might be processing their personal data. 


What information is an individual entitled to when they make an access request? 


There are actually a few different aspects to the right of access under Article 15 GDPR. 
First of all, individuals are entitled to confirmation of whether the SME is processing 
any of their personal data, which means any information which concerns or relates to 
them. Where that is the case, they are also entitled to a copy of their personal data. 
Further, individuals are entitled to other additional information about the processing of 
their personal data. 


The additional information individuals are entitled to includes: the purposes of the 
processing; the categories of personal data processed; who the personal data are 
shared with; how long the personal data will be stored; the existence of various data 
subject rights; the right to lodge a complaint with the relevant Data Protection 
Authority; information about where the data were collected from; the existence of 
automated decision-making (such as ‘profiling’); and the safeguards in place if the 
personal data are transferred to a third country or international organisation. In many 
cases, SMEs will already be providing this information to data subjects, such as through 
their privacy notice. 


How broad can the scope of an access request be? 


Whilst an individual is entitled to access to any or all of their personal data, where an 
SME processes a large quantity of information concerning the individual, the SME 
should be able to request that the individual clarify the request, by specifying the 
information or processing activities which they want access to or information on. 


This should only be done where reasonably necessary to clarify a request, and not to 
delay in responding to it. Where an SME asks an individual to clarify their request, they 
should let them know as soon as possible. If the individual refuses to clarify the 
request, the SME will still need to comply with the original request. 


Does an access request have to be made in writing? 


The GDPR does not set out any particular method for making a valid access 
request, therefore a request may be made by an individual in writing or verbally. 
Where an access request is made verbally, it is recommended that SMEs record the 
time and details of the request, so that they can ensure they comply with and do 
not misunderstand the request. SMEs may want to follow up with individuals in 
writing to confirm that they have correctly understood the request. 


Some SMEs may wish to use standard or online forms for individuals to submit access 
requests through; Recital 59 GDPR even encourages this for electronic requests. Whilst 
such forms can help streamline the exercise of the right of access and support 
consistency and timely responses, SMEs should keep in mind that access requests 
can still be validly made by other means, such as letter, email, telephone call, or even 
through social media. 


Where an access request is made, an SME may invite or encourage the individual 
to submit it through their designated form instead, but they should make it clear that 
this is not compulsory, and the deadline for responding to the access request begins to 
run from the time the valid request is made by any means, not only through the 
designated form. Nevertheless, an online form will often be the most efficient method 
for an individual to make their request and have it responded to in a timely manner. 


Does an access request have to be made to a specific contact point designated by the SME? 


As with the question regarding the format an access request may take, where SMEs 
have a particular contact point or member of staff designated for handling access 
requests, contacting them will normally be the most efficient way for an individual 
to have their request responded to promptly, but it should not be considered 
mandatory. 


It is possible that a valid access request may be made to any member of staff of 
an SME. This may present a challenge, particularly in the absence of sufficient 
awareness or training regarding data protection obligations. SMEs should ensure that 
systems are in place so that all valid access requests are actioned appropriately - 
particularly regarding staff who regularly interact with customers or the public. 


As with standard forms, an SME may encourage data subjects to contact the 
designated contact point, but they cannot oblige them to do so. Therefore, where 
a request is made to another member of staff, the clearest approach may be to 
forward the request to the correct contact point, whilst copying in the individual 
and explaining the process for handling the request. 


Are there other formalities required for a valid access request? 


There are no other formal requirements for an access request to be valid, other than 
that the request is sufficiently clear to act upon, and that the identity of the requester 
is sufficiently clear. Individuals should be sufficiently clear about what information they 
are seeking, and proof of their identity should only be requested where reasonable 
and proportionate to do so. Where the SME does require more information or proof of 
identity, they should inform the requester as soon as possible, and the time limit for 
responding to the request begins when they receive the additional information. 


Seeking proof of identity would be less likely to be appropriate where there was no real 
doubt about identity; but, where there are doubts, or the information sought is of 
a particularly sensitive nature, then it may be appropriate to request proof. SMEs 
should only request the minimum amount of further information necessary and 
proportionate in order to prove the requester’s identity. 


Further, there is no need for an individual to use a particular form of words, or 
even to specifically mention data protection legislation, to make a valid access request; 
however, it may be helpful for the sake of clarity to mention that the request is an 
access request, pursuant to the relevant data protection legislation. 


How long does an SME have to respond to an access request? 


SMEs who receive a valid subject access request must respond to the request without 
undue delay and at the latest within one month of receiving the request. SMEs can 
extend the time to respond by a further two months if the request is complex or they 
have received a number of requests from the same individual, but they must still 
let the individual know within one month of receiving their access request and explain 
to them why the extension is necessary. 


Further, it is good practice for SMEs to keep requesters regularly updated on the 
progress of their request, and give them sufficient notice in advance of any potential 
delays or requests for clarification or proof of identity. 


How should SMEs provide the information to individuals? 


The general rule is that an SME should respond to an individual's access request in the 
same way the request was made, or in the way in which the requester specifically 
asked for a response. Where a request is made electronically, SMEs should provide 
the required information in a commonly used electronic format, unless the individual 
requests otherwise. 


Where an individual makes a verbal access request, they may want or be 
satisfied with a verbal response to their access request, depending on the nature of 
the request. SMEs should consider keeping a record of the verbal response issued, 
as well as what they understood the request to be. If a request asks that the 
response be made in writing, SMEs should provide the response in writing to the 
address provided. 


Can SMEs charge a fee for responding to an access request? 


In most cases individuals cannot be required to pay a fee to make a subject access 
request. Only in certain very limited circumstances, per Article 12(5) GDPR, where the 
initial request is ‘manifestly unfounded or excessive’ (which the SME must prove), can 
an SME charge a ‘reasonable fee’ for the administrative costs of complying with 
the request. SMEs are also allowed to charge a reasonable fee, based on 
administrative costs, where an individual requests additional copies of their personal 
data undergoing processing. 


Are there any other limitations on the right of access? 


Under Article 12(5) GDPR, in limited circumstances, where an access request is 
‘manifestly unfounded or excessive’, an SME may also, where appropriate, refuse 
to act on the request. This is, however, a high threshold to meet, and the SME must be 
able to prove that the request was manifestly unfounded or excessive, in 
particular taking into account whether the request is repetitive. There should be 
very few cases where an SME can justify a refusal of a request on this basis. 


There is a general limitation on the exercise of the right of access under Article 15(4) 
GDPR, which states that the right to obtain a copy of the personal data undergoing 
processing should not negatively impact (‘adversely affect’) the rights and freedoms of 
others, such as privacy, trade secrets, or intellectual property rights. However, where 
an SME does have concerns about the impact of complying with a request, their 
response should not simply be a refusal to provide all information to the individual, 
but to endeavour to comply with the request insofar as possible whilst ensuring 
adequate protection for the rights and freedoms of others. 


Whilst the right of access to personal data is a fundamental data protection right, it is 
not an absolute one, and is subject to a number of limited exceptions. Article 23 GDPR 
allows for data subject rights to be restricted in certain circumstances. Any such 
restrictions must be set out in a ‘legislative measure’, respect the essence of the 
fundamental rights and freedoms, be necessary and proportionate in a democratic 
society, and safeguard an interest of public importance. 


Accordingly, if an SME considers that it is justified in withholding certain information in 
response to an access request it must identify an exemption under the GDPR, provide 
an explanation as to why it applies, and demonstrate that reliance on the 
exemption is necessary and proportionate. 